If a user is given ANY Moderator permission, that user can view and edit hidden Custom Profile Fields in their UCP and can view them for other users in Profiles and memberlist.
Apparently, this is intended behavior, because in includes/functions_profile_fields.php, we have:
// Show hidden fields to moderators/admins
if (!$auth->acl_gets('a_', 'm_') && !$auth->acl_getf_global('m_'))
The issue is whether it should be intended. There is really no reason a simple forum moderator with the power to, say, approve posts, should be able to see everyone's hidden CPFs, or even their own. It should be a separate permission, if desired.
And in any event, the explanatory text in the ACP, Users and Groups, Custom Profile Fields, is incorrect under the present status of the CPF permissions, since it says:
Hide profile field:
Hide the profile field from all other users except the user, administrators and moderators who are still able to see this field. If the Display in user control panel option is disabled, the user will not be able to see or change this field and the field can only be changed by administrators.
So, I recommend one of the following, in order of preference:
1. Modify the code so no one can see or edit the hidden CPFs in Memberlist or Profile or UCP and therefore only those with the Admin permission "Can manage custom profile fields" could see them, or
2. Modify the code so only those those with the Admin permission "Can manage custom profile fields" could see hidden CPFs in Memberlist or Profile or UCP, or
3. Modify the code so that only Admins could see the hidden CPFs in Memberlist or Profile or UCP.
But if none of that is done, at a minimum the text in the ACP should be changed to indicate that both admons and moderators can see and edit the hidden CPFs.